Apple fixes iPhone and iPad bug exploited in ‘extremely sophisticated attacks’
Apple released iOS and iPadOS updates to address a zero-day likely exploited in extremely sophisticated attacks targeting specific individuals.
Apple released emergency security updates to address a zero-day vulnerability, tracked as CVE-2025-24200, that the company believes was exploited in “extremely sophisticated” targeted attacks.
An attacker could have exploited the vulnerability to disable the USB Restricted Mode “on a locked device.”
Apple’s USB Restricted Mode is a security feature introduced in iOS 11.4.1 to protect devices from unauthorized access via the Lightning port.
The USB Restricted Mode disables the data connection of the iPhone’s Lightning port after a specific interval of time, but it doesn’t interrupt the charging process. Any other data transfer would require the user to provide the passcode.
The IT giant fixed the vulnerability with improved state management.
“A physical attack may disable USB Restricted Mode on a locked device,” reads the release notes for iOS 18.3.1 and iPadOS 18.3.1.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School reported the vulnerability to the IT giant.
In November, Apple introduced another security feature (dubbed “inactivity reboot”) that automatically restarts iPhones after long idle times to re-encrypt data and make it harder to extract by forensic software.
The zero-day impacts the following devices: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Apple also released iPadOS 17.7.5 to address the issue in iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation.
As usual, Apple did not publicly disclose details about the attacks exploiting the vulnerability or the threat actors responsible.
However, the fact that Citizen Lab researchers discovered the attack suggests that the threat actor may have used a zero-day exploit to deliver commercial spyware in highly targeted attacks. Such attacks often rely on zero-day exploits to target journalists, dissidents, and opposition politicians with spyware.
Another possibility is that Apple is aware of physical access attacks on some of its devices, likely involving forensic tools like Cellebrite to unlock and extract data.
In September 2023, researchers at Citizen Lab reported that two actively exploited zero-day flaws (CVE-2023-41064 and CVE-2023-41061) fixed by Apple were used to infect devices with NSO Group’s Pegasus spyware.
According to the researchers, the two vulnerabilities were chained as part of a zero-click exploit, named BLASTPASS, used in attacks on iPhones running the latest version of iOS (16.6).
Citizen Lab reported that the exploit was used to install the Pegasus spyware on a device belonging to an individual employed by a Washington DC-based civil society organization with international offices.
The experts reported that the exploit involved PassKit attachments containing malicious images that were sent to the victim from an attacker’s iMessage account.
In January, Apple released security updates to address 2025’s first zero-day vulnerability, tracked as CVE-2025-24085, actively exploited in attacks targeting iPhone users.
The vulnerability is a privilege escalation vulnerability that impacts the Core Media framework.
“A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2,” reads the advisory published by the IT giant.
The Apple Core Media framework supports multimedia tasks like playback, recording, and manipulation of audio and video on iOS and macOS devices.
The company addressed the use-after-free issue with improved memory management.
Threat actors exploited the vulnerability to target devices running iOS before iOS 17.2.
The vulnerability impacts iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Apple addressed the issue with the release of iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, and tvOS 18.3.
Pierluigi Paganini
(SecurityAffairs – hacking, zero-day)